Merge branch 'master' into master

Makefile

@@ -186,7 +186,6 @@ e2e-helm-install:
 
 e2e-helm-deploy: e2e-helm-install
 ifeq ($(ENABLE_PUBSUB),true)
-	@echo 'auditPodAnnotations: {dapr.io/enabled: "true", dapr.io/app-id: "audit", dapr.io/metrics-port: "9999"}' > .tmp/annotations.yaml
 	./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper \
 		--namespace ${GATEKEEPER_NAMESPACE} \
 		--debug --wait \
@@ -206,7 +205,9 @@ ifeq ($(ENABLE_PUBSUB),true)
 		--set audit.enablePubsub=${ENABLE_PUBSUB} \
 		--set audit.connection=${AUDIT_CONNECTION} \
 		--set audit.channel=${AUDIT_CHANNEL} \
-		--values .tmp/annotations.yaml \
+		--set-string auditPodAnnotations.dapr\\.io/enabled=true \
+		--set-string auditPodAnnotations.dapr\\.io/app-id=audit \
+		--set-string auditPodAnnotations.dapr\\.io/metrics-port=9999 \
 		--set mutationAnnotations=true;
 else
 	./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper \

build/tooling/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-bullseye@sha256:adf7ccb07fe8ccadf7bb0317f02d2c3a4916f824a23f6975fd36c4bd7feece3f
+FROM golang:1.21-bullseye@sha256:47fa179d4966a0950485ede2ef81567bb1cf62e1e87af07e9830e5c928d06cd0
 
 RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0
 RUN GO111MODULE=on go install k8s.io/code-generator/cmd/conversion-gen@v0.25.4

pkg/audit/manager.go

@@ -510,12 +510,12 @@ func (am *Manager) auditFromCache(ctx context.Context) ([]Result, []error) {
 
 		excluded, err := am.skipExcludedNamespace(&obj)
 		if err != nil {
-			am.log.Error(err, "Unable to exclude object namespace for audit from cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName())
+			am.log.Error(err, fmt.Sprintf("Unable to exclude object namespace for audit from cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName()))
 			continue
 		}
 
 		if excluded {
-			am.log.V(logging.DebugLevel).Info("excluding object from audit from cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName())
+			am.log.V(logging.DebugLevel).Info(fmt.Sprintf("excluding object from audit from cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName()))
 			continue
 		}
 
@@ -525,7 +525,7 @@ func (am *Manager) auditFromCache(ctx context.Context) ([]Result, []error) {
 		}
 		resp, err := am.opa.Review(ctx, au, drivers.Stats(*logStatsAudit))
 		if err != nil {
-			am.log.Error(err, "Unable to review object from audit cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName())
+			am.log.Error(err, fmt.Sprintf("Unable to review object from audit cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName()))
 			continue
 		}
 

test/image/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-bullseye@sha256:adf7ccb07fe8ccadf7bb0317f02d2c3a4916f824a23f6975fd36c4bd7feece3f as builder
+FROM golang:1.21-bullseye@sha256:47fa179d4966a0950485ede2ef81567bb1cf62e1e87af07e9830e5c928d06cd0 as builder
 
 ARG BATS_VERSION
 ARG ORAS_VERSION

website/docs/help.md

@@ -112,4 +112,8 @@ If you want to contribute to Helm chart, Gatekeeper auto-generates versioned Hel
 
 ## Contributing to Code
 
-If you want to contribute code, check out the [Developers](developers.md) guide to get started.
+If you want to contribute code, check out the [Developers](developers.md) guide to get started.
+
+## Contributing Templates
+
+If you'd like to contribute a Constraint Template to the [Gatekeeper Policy Library](https://open-policy-agent.github.io/gatekeeper-library/website/), you can find documentation on how to do that [here in the library's README](https://github.com/open-policy-agent/gatekeeper-library?tab=readme-ov-file#how-to-contribute-to-the-library).

website/docs/howto.md

@@ -138,16 +138,5 @@ kubectl get constraints
 ```
 
 ### Input Review
+You can view information on the `input.review` object that Gatekeeper takes as input [here](./input.md)
 
-The `input.review` object stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It has the following fields:
-- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
-- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
-- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
-- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
-- `object`: The request object under evaluation to be created or modified.
-- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
-- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
-- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
-- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.
-
-> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources. 

website/docs/input.md

@@ -0,0 +1,75 @@
+---
+id: input
+title: Admission Review Input
+---
+
+The data that's passed to Gatekeeper for review is in the form of an `input.review` object that stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It follows a structure that contains the object being created, and in the case of update operations the old object being updated. It has the following fields:
+- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
+- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
+- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
+- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
+- `object`: The request object under evaluation to be created or modified.
+- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
+- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
+- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
+- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.
+
+> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources. 
+
+You can see an example of the request structure below.
+
+```json
+{
+  "apiVersion": "admission.k8s.io/v1",
+  "kind": "AdmissionReview",
+  "request": {
+    "uid": "abc123",
+    "kind": {
+      "group": "apps",
+      "version": "v1",
+      "kind": "Deployment"
+    },
+    "resource": {
+      "group": "apps",
+      "version": "v1",
+      "resource": "deployments"
+    },
+    "namespace": "default",
+    "operation": "CREATE",
+    "userInfo": {
+      "username": "john_doe",
+      "groups": ["developers"]
+    },
+    "object": {
+      // The resource object being created, updated, or deleted
+      "metadata": {
+        "name": "my-deployment",
+        "labels": {
+          "app": "my-app",
+          "env": "production"
+        }
+      },
+      "spec": {
+        // Specific configuration for the resource
+        "replicas": 3,
+        // ... other fields ...
+      }
+    },
+    "oldObject": {
+      // For update requests, the previous state of the resource
+      "metadata": {
+        "name": "my-deployment",
+        "labels": {
+          "app": "my-app",
+          "env": "staging"
+        }
+      },
+      "spec": {
+        // Previous configuration for the resource
+        "replicas": 2,
+        // ... other fields ...
+      }
+    }
+  }
+}
+```

website/sidebars.js

@@ -52,7 +52,10 @@ module.exports = {
       type: 'category',
       label: 'Concepts',
       collapsed: false,
-      items: ['mutation-background']
+      items: [
+        'input',
+        'mutation-background'
+      ]
     },
     {
       type: 'category',

website/versioned_docs/version-v3.14.x/help.md

@@ -112,4 +112,8 @@ If you want to contribute to Helm chart, Gatekeeper auto-generates versioned Hel
 
 ## Contributing to Code
 
-If you want to contribute code, check out the [Developers](developers.md) guide to get started.
+If you want to contribute code, check out the [Developers](developers.md) guide to get started.
+
+## Contributing Templates
+
+If you'd like to contribute a Constraint Template to the [Gatekeeper Policy Library](https://open-policy-agent.github.io/gatekeeper-library/website/), you can find documentation on how to do that [here in the library's README](https://github.com/open-policy-agent/gatekeeper-library?tab=readme-ov-file#how-to-contribute-to-the-library).

website/versioned_docs/version-v3.14.x/howto.md

@@ -138,16 +138,4 @@ kubectl get constraints
 ```
 
 ### Input Review
-
-The `input.review` object stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It has the following fields:
-- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
-- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
-- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
-- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
-- `object`: The request object under evaluation to be created or modified.
-- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
-- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
-- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
-- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.
-
-> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources. 
+You can view information on the `input.review` object that Gatekeeper takes as input [here](./input.md)

website/versioned_docs/version-v3.14.x/input.md

@@ -0,0 +1,75 @@
+---
+id: input
+title: Admission Review Input
+---
+
+The data that's passed to Gatekeeper for review is in the form of an `input.review` object that stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It follows a structure that contains the object being created, and in the case of update operations the old object being updated. It has the following fields:
+- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
+- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
+- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
+- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
+- `object`: The request object under evaluation to be created or modified.
+- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
+- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
+- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
+- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.
+
+> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources. 
+
+You can see an example of the request structure below.
+
+```json
+{
+  "apiVersion": "admission.k8s.io/v1",
+  "kind": "AdmissionReview",
+  "request": {
+    "uid": "abc123",
+    "kind": {
+      "group": "apps",
+      "version": "v1",
+      "kind": "Deployment"
+    },
+    "resource": {
+      "group": "apps",
+      "version": "v1",
+      "resource": "deployments"
+    },
+    "namespace": "default",
+    "operation": "CREATE",
+    "userInfo": {
+      "username": "john_doe",
+      "groups": ["developers"]
+    },
+    "object": {
+      // The resource object being created, updated, or deleted
+      "metadata": {
+        "name": "my-deployment",
+        "labels": {
+          "app": "my-app",
+          "env": "production"
+        }
+      },
+      "spec": {
+        // Specific configuration for the resource
+        "replicas": 3,
+        // ... other fields ...
+      }
+    },
+    "oldObject": {
+      // For update requests, the previous state of the resource
+      "metadata": {
+        "name": "my-deployment",
+        "labels": {
+          "app": "my-app",
+          "env": "staging"
+        }
+      },
+      "spec": {
+        // Previous configuration for the resource
+        "replicas": 2,
+        // ... other fields ...
+      }
+    }
+  }
+}
+```

website/versioned_sidebars/version-v3.14.x-sidebars.json

@@ -53,6 +53,7 @@
       "label": "Concepts",
       "collapsed": false,
       "items": [
+        "input",
         "mutation-background"
       ]
     },